Comcast Completes DNSSEC Deployment

By Jason Livingood | Jan 10, 2012

I am pleased to announce that Comcast, the largest ISP in the U.S., is the first large ISP in North America to have fully implemented Domain Name System Security Extensions (DNSSEC). As part of our ongoing efforts to protect our customers, DNSSEC is now automatically included as part of Comcast Constant Guard™ from Xfinity.

We have worked hard to be a leader with our DNSSEC deployment. As of today, over 17.8M residential customers of our Xfinity Internet service are using DNSSEC-validating DNS servers. In addition, all of the domain names owned by Comcast, numbering over 5,000, have been cryptographically signed. All of our servers, both the ones that customers use and the ones authoritative for our domain names, also fully support IPv6.

In 2010, ICANN took the first step by signing the global DNS root. After that, many top-level domains (TLDs) such as .COM, .NET, .ORG, and .GOV followed suit and were signed. This has enabled ISPs like Comcast both to sign domain names in DNSSEC-enabled TLDs and to validate DNSSEC when our customers use the Internet.

For background, ISPs play two roles in DNSSEC. The first role, perhaps the most critical, is validating DNSSEC as part of the DNS lookups performed for our customers. These lookups occur when a customer tries to access a site, such as www.comcast.com. When a customer tries to connect to that website, a Comcast DNS server looks up the domain name and verifies the signature on the DNS response to ensure that it is valid and has not been tampered with by hackers or other criminals. The second role is to cryptographically sign the domain names that we own, such as xfinity.com, so that when our customers or others using DNSSEC try to connect to services in those domains, they can validate the security of the associated DNS responses.
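The validating role described above is visible to a client in the DNS header. The following Python sketch is an added example, not Comcast's code: it builds a query that requests DNSSEC processing and classifies a resolver's reply by its AD (Authenticated Data) flag and response code. The function names and the sample replies are constructed for illustration.

```python
import struct

QR, RD, AD = 0x8000, 0x0100, 0x0020  # DNS header flag bits (RFC 1035, RFC 4035)
DO = 0x8000                          # EDNS0 "DNSSEC OK" bit (RFC 3225)

def build_query(name, txid, qtype=1):
    """Recursive query (default type A) carrying an EDNS0 OPT record with DO set."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 1)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, class = UDP payload size, TTL field holds
    # extended RCODE, version and flags; RDLENGTH is 0.
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, DO, 0)
    return header + question + opt

def classify(response, txid):
    """Classify a resolver's reply from its 12-byte header."""
    if len(response) < 12:
        return "malformed"
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != txid or not flags & QR:
        return "mismatch"
    rcode = flags & 0x000F
    if rcode == 2:
        # Validators answer SERVFAIL when a signature does not verify
        # (SERVFAIL is also used for other resolution failures).
        return "servfail"
    if rcode in (0, 3) and flags & AD:
        return "validated"     # resolver verified the signature chain
    if rcode in (0, 3):
        return "unvalidated"   # unsigned zone, or resolver does not validate
    return "rcode-%d" % rcode

# Constructed sample replies (header only) for transaction ID 0x1234.
SAMPLES = {
    "signed zone, validating resolver": struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1),
    "unsigned zone": struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1),
    "signature failed validation": struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1),
}

if __name__ == "__main__":
    print(len(build_query("www.comcast.com", 0x1234)), "byte query")
    for label, reply in SAMPLES.items():
        print(label, "->", classify(reply, 0x1234))
```

The AD flag is the resolver's assertion, so it is only as trustworthy as the network path between the client and that resolver.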

Now that nearly 20 million households in the U.S. are able to use DNSSEC, we feel it is an important time to urge major domain owners, especially commerce and banking-related sites, to begin signing their domain names. While in the past those domains may have wanted to do so but felt it would have limited effect, they now can work on signing their domains knowing that the largest ISP in the U.S. can validate those signatures on behalf of our customers.